Bugzilla – Bug 1202423
VUL-0: CVE-2022-35978: minetest: Mod scripts can escape sandbox in single player
Last modified: 2023-01-03 14:20:48 UTC
CVE-2022-35978: Minetest is a free open-source voxel game engine with easy modding and game creation. In **single player**, a mod can set a global setting that controls the Lua script loaded to display the main menu. The script is then loaded as soon as the game session is exited. The Lua environment the menu runs in is not sandboxed and can directly interfere with the user's system. There are currently no known workarounds.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-35978
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35978
https://github.com/minetest/minetest/commit/da71e86633d0b27cd02d7aac9fdac625d141ca13
https://github.com/minetest/minetest/security/advisories/GHSA-663q-pcjw-27cc
https://dev.minetest.net/Changelog#5.5.0_.E2.86.92_5.6.0
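The settings write the advisory describes, as an added example that is not Minetest's own code: a minimal settings store in its vulnerable form beside a hardened one that refuses writes to `main_menu_script` and the `secure.*` namespace when the caller is a sandboxed mod. `SettingsStore`, `WriteContext`, `is_protected_key` and the script paths are assumptions, not the engine's API.

```cpp
// Added example (not Minetest's own code): models the settings write path the
// advisory describes and a hardened variant. SettingsStore, WriteContext and
// is_protected_key are assumed names, not the engine's API.
#include <map>
#include <string>

// Who is writing the setting: engine/main-menu code, or a sandboxed mod script.
enum class WriteContext { Engine, SandboxedMod };

// Keys a sandboxed mod must never write: the secure.* namespace and the key
// naming the script that the unsandboxed main menu loads after the session ends.
static bool is_protected_key(const std::string &key) {
    return key.rfind("secure.", 0) == 0 || key == "main_menu_script";
}

class SettingsStore {
public:
    explicit SettingsStore(bool hardened) : hardened_(hardened) {
        // Constructed default: the engine's own menu script path.
        values_["main_menu_script"] = "builtin/mainmenu/init.lua";
    }

    // hardened == false: any caller may write any key (the vulnerable behaviour).
    // hardened == true: a protected key written from a sandboxed mod is
    // rejected and the store is left untouched.
    bool set(const std::string &key, const std::string &value, WriteContext ctx) {
        if (hardened_ && ctx == WriteContext::SandboxedMod && is_protected_key(key))
            return false;
        values_[key] = value;
        return true;
    }

    std::string get(const std::string &key) const {
        auto it = values_.find(key);
        return it == values_.end() ? std::string() : it->second;
    }

private:
    bool hardened_;
    std::map<std::string, std::string> values_;
};

// Which script the main menu would load after a mod, running in the sandboxed
// context, has tried to redirect main_menu_script (constructed value).
static std::string menu_script_after_mod_write(bool hardened) {
    SettingsStore s(hardened);
    s.set("main_menu_script", "/tmp/mod_controlled.lua", WriteContext::SandboxedMod);
    return s.get("main_menu_script");
}
```

With `hardened == false` the mod's value survives into the menu load; with `hardened == true` the engine default is what the menu loads.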
Affected:
- openSUSE:Backports:SLE-15-SP3/minetest 5.2.0
- openSUSE:Backports:SLE-15-SP4/minetest 5.4.1
- openSUSE:Factory/minetest 5.5.1
Unfortunately I'm currently on vacation and can't fix the issue right now - once I'm back in about 8 days I'll try to update Minetest to 5.6.0 in TW ASAP. I have zero experience when it comes to packaging for Leap so the patch backport might take a lot longer / I might not be able to do that at all. For now I'd advise all users to switch to the Flatpak version of minetest until the issue is resolved.
This is an autogenerated message for OBS integration: This bug (1202423) was mentioned in https://build.opensuse.org/request/show/998676 Backports:SLE-15-SP3+Backports:SLE-15-SP4 / minetest
openSUSE-SU-2023:0001-1: An update that solves one vulnerability and has two fixes is now available.
Category: security (important)
Bug References: 1181400, 1193141, 1202423
CVE References: CVE-2022-35978
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP4 (src): minetest-5.6.0-bp154.2.3.5
openSUSE Backports SLE-15-SP3 (src): minetest-5.6.0-bp153.2.3.1